Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-45050

Change Windows Kerberos client to use default credentials when no password is specified

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.2.3, 3.6 Required, 4.0.18
    • Component/s: None
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v4.2, v4.0, v3.6
    • Sprint:
      Security 2019-12-30
    • Case:

      Description

      The Windows Kerberos client callsĀ AcquireCredentialsHandle with a populated SEC_WINNT_AUTH_IDENTITY even when the user provides no password. In some customer setups, AcquireCredentialsHandle returns SEC_E_NO_CREDENTIALS as a result because the mongo client is asking for Windows to return something other then the default credentials.

      While I cannot repro this issue locally, we have confirmed with the customers that if AcquireCredentialsHandle is called without SEC_WINNT_AUTH_IDENTITY, then clients can successfully connect. Both a patched shell and the node.js driver can successfully connect in these cases.

      The fix is to not pass SEC_WINNT_AUTH_IDENTITY to AcquireCredentialsHandle unless the user specifies a password.

        Attachments

          Activity

            People

            Assignee:
            mark.benvenuto Mark Benvenuto
            Reporter:
            mark.benvenuto Mark Benvenuto
            Participants:
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: